Never Trust A VPN Provider That Doesn't Accept Bitcoin

It was the nightmare come true. An unscrupulous VPN provider that happily handed over identifying information to law enforcement, providing a cold-shower reminder that security consciousness can be the very real difference between life and death.

As the VPN provider HideMyAss.com happily identified a person at the request of law enforcement, it was a jaw-drop moment for many of us. This was the exact thing that was supposed to not happen. It was supposed to be physically impossible; the log files were not supposed to exist. Many rightly criticize the company for advertising a service they didn’t deliver, and from their defense of righteousness and entitlement in a “we did nothing wrong” statement, it is obvious that they are completely oblivious to the concept of lawful evil:

Our VPN service and VPN services in general are not designed to be used to commit illegal activity. It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences.

I mean, like, wtf? I am speechless. Flabbergasted. Tell this to the activists of Egypt, Syria, or Palestine. Then try to say with a straight face that the countries in the West are completely different when it comes to Net censorship and corruption.

As a quick recap, just because something is lawful, that doesn’t make it good. This is most obvious in hindsight. Homosexual individuals were criminal from birth in most countries two generations ago, and still are in many. Forced sterilizations were legion one generation ago in countries we consider civilized. In retrospect, this is pure evil, even if it was the law.

My point here is that anybody who thinks that the future won’t think exactly this of today’s laws is delusional. There are still many examples of evil going down in the name of the law, today. I am sure all of us can think of several examples.

Therefore, the activists fighting against this evil and for a change of society have a very legitimate reason to hide themselves from law enforcement. But breaking the law is not the only reason to use a VPN or other kind of cryptographic tunnel.

Because, after all, you can desire to be private and untrackable for many legitimate purposes. The future always judges the activists who fight for good to have been completely legitimate in retrospect, even though they were lawbreakers in their own time. (Consider Greenpeace, which were considered borderline terrorist in their time, who are now instead borderline heroes.)

Regardless of the necessity of people breaking the law to advance society, there are many other legitimate reasons to be private. You probably lock the door when you go to the toilet, for instance. Not because you know that it may get you in trouble with authorities, but simply because you want that moment to yourself.

The shameful deceit of HideMyAss.com forces us to revisit many assumptions. It goes back to the basic information advantage game: who has what information, and in particular, is there anybody who knows what I do online and who I am? If so, that is a weak link that needs to be addressed.

Specifically, we have seen now that we can’t trust VPN providers with our identity, as — no shocker, really — a “trust us with your life” isn’t worth the recycled electrons it’s displayed with when it comes from a marketing department that really says “trust us with your money“.

So how to you separate the good from the bad tunnel providers without risking to become the case that uncovers the bad apple? Nobody wants to take that risk. For some, it’s even a matter of life and death. The obvious conclusion is that nobody should trust a VPN or tunnel provider with their identity — and that VPN providers who demand the identity of their subscribers cannot, should not, and must not be trusted.

Specifically, this means that nobody should pay commercial VPN or tunnel providers with a credit card.

Now, in the case of commercial providers, that does pose a bit of a problem. There are only two somewhat anonymous payment methods: cash and bitcoin. And people who pay in person by cash have frequently been tracked by CCTV cameras.

I’m therefore going to argue that bitcoin, while not perfectly anonymous, offers the best level of identity protection of the available payment systems. The exchange where you get your bitcoin knows your identity, but the places where you transfer them after that don’t.

I just learned in the wake of this scandal that at least one VPN provider, AirVPN, is now accepting bitcoin. (HugeHedon tips us off in the comments to this post that they have commented extensively on the situation, agreeing with the message of this article and going a good bit further.)

In closing, we also need to take some care with other details that the VPN or tunnel provider will know and that can be used against us. The provider will know our originating IP address. If we do something that authorities don’t like, this can be used to track us. Therefore, the IP address of origin should be a public place like a café, a bus, an airport, or similar. There will be CCTV cameras, which need to be considered.

The public location may be able to identify your computer through its MAC address (its individual network interface), if logs are kept. Assume logs are kept. Therefore, it may be possible to tie your computer to having had a specific IP address in the public location, an IP address which a hostile tunnel provider gives to law enforcement. If you want to mitigate this risk, use USB wi-fi sticks (some €15) and change them regularly, discarding and destroying used ones. Better yet, change your network MAC address regularly if you can. Google for how to do it.

And of course, you should never give your identity to the wi-fi network in the public location, either. That’s just as dangerous as giving your identity to the VPN provider, which is able to track you to the public network.

As a final note, always route through multiple countries under jurisdictions that have serious problems cooperating. Like Israel, from there to Iran, on to North Korea, and end it up with Germany which has strong privacy laws. (If you find tunnel entrances and exits in Iran and North Korea, that is. But as an example.)

Rick Falkvinge

Rick is the founder of the first Pirate Party and a low-altitude motorcycle pilot. He works as Head of Privacy at the no-log VPN provider Private Internet Access; with his other 40 hours, he's developing an enterprise grade bitcoin wallet and HR system for activism.

Related Posts

Discussion

It seems to me that, however carefully you choose a VPN provider, you are likely to end up giving them more identifying information than you might want to. For those communications requiring a high degree of privacy, using Tor to remove that single point of failure would seem wise.

I have been using them for quite some time now. Their speeds are fantastic, p2p allowed and they do not even log connect and disconnect times like HMA and many others do.

All I know is that with the limited information that https://VPNme.com requires when you pay with bitcoin they must be taking my privacy seriously.

They also allow you to have two concurrent connections on the cheapest plan with unlimited bandwidth and allow you to use all protocals no up charges.

Freddie

Reginald the Anonymous

January 28, 2013

Tor has it’s vulnerabilites too. I can’t find the article at this moment, but researchers were able to pull actual IP addresses from the tor network via some tech trickery.

Bitcoin is great. You can also use prepaid credit cards for vpn providers that don’t accept bitcoin but don’t require anything more than an email address, payment method and password.

I don’t think HIdeMyAss ever stated that they didn’t keep logs. Their name is a bit misleading though, considering how fast they handed the hacker over.

I think picking a vpn that doesn’t keep logs is way more important than picking one with bitcoin. If your network activity is untraceable, who cares if they know who’s paying. People seem to want to go with offshore vpn’s for added privacy, but actually the united states might be the safest for these reasons:

1) The us is one of the few developed nations without mandatory data retention policies

2) U.S. companies actually are bound to do what they say and advertise. If I company said they didn’t log when in fact they did, they could be liable. US companies are less likely to have malicious intentions towards their customers. Who knows what that startup vpn from malaysia is doing with your information.

Another example of bitcoin provider is http://mullvad.net/sv/bitcoin.php .
Also, if paying with bitcoin, and then connecting to the VPN via TOR network, could make you reasonably anonymous. It will make it harder for TOR sniffers to find out what you are doing. But if you are downloading a lot via this solution, you are putting a big strain on the TOR network.
Lastly, how do you anonymously set up the deal with the VPN provider, payment method aside? You still need to communicate. TOR might hold some answers here, but I doubt they are adequately implemented yet.

dustinc

September 29, 2011

mullvad is a GREAT service! all the way from texas, i get 90% of the speed of my internet. The only problem i have is youtube can be iffy, but you try and encrypt streaming data without it chopping up – its not easy! I personally do not care for tor as it is slow. its good, but slow.

I pay mullvad via bitcoins. Once you pay, they give you an account id that can be used to access their network for x days. Thats all their is to it, there isn’t really any verification involved. If you do have problems, their customer support is pretty good, all they ask is your account id that you use, if they ask that.

if you want, just keep a record of the bitcoin address you used to pay along with your account id, just in case they ask you for further verification. Like i said, i have had no problems with mullvad, and although i dont recommend using it to log into your facebook and im accounts (as with any vpn!) it does put another barrier between you and authorities.

Mullvad is safe to pay even by credit card, because they don’t even keep records of that. You pay, they delete. Mullvad keeps NO records. Sure you have an entry on your card statement showing a payment, but it doesn’t say you paid Mullvad either.

Edvard

July 21, 2016

My saviour is IPVanish. No logs, good speed, multiple device compatibility, easy to use interface, complete anonymity, great protocols, best for streaming and torrent downloading and highly recommended for online gaming.

PiratGurra

September 30, 2011

Why should you trust a VPN service enough to run binaries on your machine? That is clearly not necessary to run a VPN service… Sounds more like under-cover spyware to me.

Endless, Nameless

September 30, 2011

The more trustworthy VPN providers will not give you software to run on your machine, but will tell you what you need to have installed (such as Windows’ VPN client (such as it is) or OpenVPN). You will have to trust the manufacturer of your operating system and not the VPN provider.

Of course, the question then becomes “How far down the stack of turtles do you want to go?” in terms of where your trust ends?

PiratGurra

October 2, 2011

Yes, well.. There are a couple of turtles required to trust. As you say at least OS, hardware in your PC and network equipment can be “compromised” in some sense. In the end.. you even need to trust your landlord not to break into your home, or to allow others to, in case you are being too much of a pimple in someones butt… There is not much to do to protect your privacy if someone is granted physical access to your machine… right..?

Hrfz

January 6, 2012

The supplied software is just a preconfigured openvpn bundled with some GUI magic. There is no need to use it to connect through the mullvad vpn

Anonymous

May 29, 2012

It says clearly on the Mullvad page that you do not need their software to use Mullvad, OpenVPN works too. In fact, I use OpenVPN because i already had it on my machine because I used Anonine before. I switched to Mullvad because it felt safer to pay via cash sent by mail than via cell phone, and also Anonine added a Facebook plugin to their page (!) That was my limit. Mullvad can be paid in a few different ways, of which cash and Bitcoin are (somewhat) anonymous.
Since the cash is sent by mail, it will only look like you are posting a letter on any CCTV camera that may be present. However, you do leave fingerprints and DNA on the cash, so if extraordinary efforts are put in, you could still be identified if the money hasn’t yet been separated from your Mullvad account number and mixed with other money, or if the envelope is seized (In sweden “brevhemligheten” – “the mail secrecy” is strong (as of yet) and much is required for police to break it ).

But it’s still a matter of trust to a degree, because Mullvad can see your IP address. They clearly state that they do not keep any logs, but perhaps HMA did too… At least I trust Mullvad more than my ISP, that is forced to follow the Data Retention Directive.

Also, DO NOT Google for anything, Google is a privacy nightmare. Use something that doesn’t track you, like DuckDuckGo(.com) for example.

almosto

September 21, 2014

Mullvad offers exe to make things easier. You are not required to use it if you don’t want to, you can set OpenVPN manually.

Fred

January 12, 2013

Thomas,

The service I use that I posted above https://VPNme.com not only has Direct IP, and Nat modes for their VPN users that also have a proxy, and tor mode to hide your traffic without having to install the tor software on your on computer.

If you don’t trust a VPN provider to keep your identity hidden, then why use them at all?

Endless, Nameless

September 30, 2011

An excellent question.

E-mannen

September 28, 2011

In Sweden I think one can get one of these (from Pressbyrån or 7eleven)http://spendon.se/Information/
and use that to pay for a VPN. If one want to be really safe and secure of course do it with a clean computer and an internet-connection that hasn’t got your name attached to it.

And speaking of HideMyAss it’s quite easy to say “Boo, boo! You shouldn’t have done that!!”, but it’s really hard to know what one actually would have done in the same situation. Who knows, maybe they were threatened with Rendition and Gitmo? :-/

steelneck

September 29, 2011

That “SpendOn Presentkort” was a very positive news to me.

AnonymousCoward

January 8, 2012

If that was the case you can bet HMA wouldn’t have talked about it ever again, they would have been under a gag order for sure. Seeing how open they are about it just proves they had no problem cooperating.

noway

April 6, 2012

you can’t buy that shit without showing id-card, and it will get registred and connected with that cardnumber.

Of course the countries in the West are completely different when it comes to Net censorship and corruption. Don’t be silly. It’s not a black and white situation, but the differences are huge.

Pretending anything else is just demeaning the Arab Spring.

Scary Devil Monastery

September 29, 2011

“Of course the countries in the West are completely different when it comes to Net censorship and corruption.” Yes, and then again, No.

Western countries in general don’t care whether middle eastern dissidents communicate with one another through encrypted networks or whether journalists are able to communicate safely with sources or not. That’s not really the problem.

The problem lies in when Saudi Arabia or Turkey asks the US for such data, or when China leans on a “neutral” asian nation to provide ISP subscriber details from a local VPN. Both of these recipients have allies of which Amnesty International and the UN commission on torture have strong views.

I.e. if the US shares data with mid-east allies then you can’t trust any VPN which would provide the US with subscriber details. That’s all there is to it. In essence, being able to communicate without supervision is one of the most fundamental human rights and there is no way any provider of communication should have to record traffic data for law enforcement use after the fact én másse.

Colin

September 28, 2011

If you mean so called Western democracies are far more subtle than say the Syrian regime, you are right. Most of the time they convince the majority of their subjects that they are trying to act for the public good.
If you mean Western governments REALLY act for the public good and represent their electorates, I totally disagree. They act for the good of politicians, who are getting bribes from big business. Don’t forget the freedoms they have taken away in recent years in the name of ‘security’. Laws get passed, “to be used only against the worst terrorist threats’, and end up being used by local authorities for trivial offences.

PiratGurra

September 28, 2011

More “lawful evil” behaviour to report here… not very much about privacy or information policy though…

Is the operator actually mentally handicapped or just brainwashed by the authority..?

Vitalik Buterin

September 28, 2011

” If you want to mitigate this risk, use USB wi-fi sticks (some €15) and change them regularly, discarding and destroying used ones.”

Why not just give used ones away? If enough people do it, it’ll provide a standard of plausible deniability cover for everyone.

PiratGurra

September 28, 2011

That’s nice for as long as no one can monitor the exchange process… In the end you have to be able to trust the one you are switching with anyway. But I think it’s much better than sticking with the same one all the time.

Don’t use wifi if you’re concerned with anonymity and privacy. Even if WEP/WPA is secure, many free access points will log info.

Also instead of using Tor, it might be better (definitely higher speed) to use multiple VPN providers.

Name of My Choice

September 29, 2011

This will offend those of you who believe in the sanctity of property rights, but anonymous wi-fi connections can be found in nearly any residential area. There is an abundance of people too ignorant to secure their wi-fi setups. Their routers still have the factory default password, so if there are any logs, you can delete them.

Endless, Nameless

September 30, 2011

Or, you can do the owners of the access points (and the rest of us) a favor and turn off logging entirely.

@JAP stay away from it! They integrated tracking code into the protocol/clients on request of the German gov to hunt supposed pedophiles. In the end they tracked thousands of innocent users and catched *no* criminal pedophile.

I cannot believe no one has spoken of the obvious solution to this problem besides bitcoin….prepaid visa or mastercard (credit card style) gift cards.

Step 1: Go to grocery store or other source of pre-paid credit card style gift cards.
Step 2: register this gift card online with a pseudonym whilst using Tor.
Step 3: Register and pay for your year long VPN account with this gift card and your registered pseudonym.
Step 4: Enjoy anonymity, in a year, buy a new giftcard and repeat, maybe with a different VPN provider. Simple.

Obivous Problem

June 17, 2012

Step 1: Go to grocery store or other source of pre-paid credit card style gift cards. (let’s assume you’re smart enough to at least pay with cash)
Step 2: register this gift card online with a pseudonym whilst using Tor.
Step 3: Register and pay for your year long VPN account with this gift card and your registered pseudonym.
Step 4: Enjoy anonymity…until Law Enforcement decides they need to talk to you. All they do is serve a warrant with the VPN for your credit card info, then do the same with the gift card company to get the activation information, then get the CCTV footage from the grocery store at the time of activation.
Step 5: Your face on the 11 o’clock news, with viewers being asked to contact police if they recognize you.

There have been a few of these that have already been implemented — with wildlly varying degrees of success. * Escrow for low-value transactions EBay has been trying to figure out how to lessen fraud occurring by sellers. The result today is essentia…

Step 1: Go to grocery store or other source of pre-paid credit card style gift cards.
Step 2: register this gift card online with a pseudonym whilst using Tor.
Step 3: Register and pay for your year long VPN account with this gift card and your registered pseudonym.
Step 4: Enjoy anonymity, in a year, buy a new giftcard and repeat, maybe with a different VPN provider. Simple.
thank you anonymous but will this work in the UK?

vpn4iphone

April 8, 2012

I like what you have put, but i do believe you need a form of identity to obtain a pre paid visa card in the UK. If there is a way do tell, where and how.

I put together a VPN service for the iphone as the iphone already has the VPN software installed. We supply a username / password and server address thats it. I don’t want to know who you are.

You put this into your iphone and log into our servers. I don’t keep logs of any type and CRON is set to delete those that have to be created on the hour. Lets say i am very hard to reach… I see it this way if i am pulled in because ‘activity’ has been traced to my Servers IP. My expanation is simple i run a VPN server with no logs and lets face it if the sh** really hits the fan its always ‘no coment’ besides i haven’t come across any law that says i do need to keep logs.

I used tor and even isolated the exits so my son could watch US tv on his laptop, found 75% of the exits slow, but after going through one at a time there were 25% fast enough to watch a stream.

This is where i saw a VPN service was needed. Also an secure email server that resides within the VPN Servers so if two people join this service and have one of our local email accounts when they send each other a message via the web email page their message never leaves our system and when you collect it its under VPN so tunneled all the way. A secure way to communicate as the emails never leave our server.

Last of all i decided to just cover my costs and at a pound a week you can’t get better. If you want to send me cash put a email address in the envolope and we will email you the user id and password. Cant get any safer than that. Cash is untracable in this method sometimes its best to risk a couple of pounds for your total anonymous internet connection. You have to trust someone, dont you and trusting someone with a fiver is far better than trusting someone with your private browising history.

btw if i was paranoiod i would jack into a remote open wifi (you must have the owners permission first) using a ubuntu boot USB stick on a diskless notebook. With the lan disabled. Use a wifi usb adapter you can dump.

So the trace ends in Ireland (with our VPN) but if you dont trust our VPN the IP your connection is created from doesnt belong to you or can be traced back to you. If you use a local open wifi this could happen. If the boys in blue do a street search on those that are on the Electrol Role (lol – silly) and you are on it and you have a bit of previous your get a little visit, they will take the notebook. But the mac address is on the wifi adapter and ofcourse you hid that elsewhere, with the ubuntu stick which contains the Tor browser. OMG theres more, the tor browser disables all the usual whisles and bells javascript etc which reduces the sites you can actually see. So thats tors limitations well what i found. Remember use a remote open wifi not a local one. Sometimes you can’t find an open wifi point so you have to use a device such as a iphone4 VPN – thats how i got the idea. http://www.vpn4iphone.co.uk

Keep safe and be honest.

invisible

May 16, 2012

I used to be a hidemyass customer. I no longer use it anymore. If u dig through their support forum you can see there are tons of complains that hidemyass doesn’t refund after the trial ends. It is also extremely difficult to unsubscribe when you no longer need the service anymore. They are very creepy, they will tell you that you account will not be charged again but they will continue charging you anyhow. Even their hide my ass affiliates are not getting paid and earnings are being held. Stay away from this company. I am currently use Tor. it is slow. but it works and it is free.

Mark Ackley

July 3, 2012

If you are not satisfied with the hidemyass, then you can try Hotspot shield VPN as well.

Hotspot Shield Works on wireless and wired connections alike and Provides Unlimited Bandwidth.

What exactly do you mean by “activists in Palestine”? Do you mean people fighting for their freedom from their oppressive Palestinian leadership like Hamas, who incidently persecute homosexuals? I sure hope that’s what you meant.

I bookmarked your list because it was comprehensive. Then I saw you listed HIDEMYASS which this blog demonstrates is LYING to customers when it says it doesn’t keep the logs it turns over to the FBI. Clearly you have just complied this list to make money on referral fees and couldn’t care less about privacy. You have no conscience. UNBOOKMARKED!

Freddie

January 21, 2013

I think you are on point yourmama. I went to his page and noticed most of his links had referrer codes in them and he seems to have VPN’s that pay him the most in his top spots.

Just another person out to make a buck with bad advice.

Personally I use https://vpnme.com ( no referrer just like them ) the way it should be. Advice without monitary gain.

PureVPN is one of the top VPN providers in the VPN industry, know for providing the best security and privacy; and why should not it be so? PureVPN does what it does well; continuously enhancing the features of its services. Recently, PureVPN has added Bitcoin, the most anonymous online payment method, to its services. Now, with PureVPN your security is ensured even before you buy it!http://www.purevpn.com/blog/purevpn-teams-up-with-bitcoin-more-anonymity-for-the-users/

This design is incredible! You certainly know how to keep a reader
entertained. Between your wit and your videos, I was almost moved to
start my own blog (well, almost…HaHa!) Excellent job.
I really enjoyed what you had to say, and more than
that, how you presented it. Too cool!

Really enjoy this incredible website, awesome information here, was actually
a tid bit sceptical in regards to purchasing a steam shower
system for our house however, the information and knowledge here sorted
my head out, fantastic thanks

[…] It’s also interesting to see how effective VPNs are at protecting end-users who manufacture unlicensed copies of knowledge and culture from the monopolized copyright industry – apparently, the people behind Expendables 3 are on a suing spree, but hitting a no-log VPN on an end-address is literally a dead end – there’s nowhere to go from there. (Which is another reason to only use VPN services that a) create no logs, b) don’t demand personal information in the first place – like allowing payment with bitcoin.) […]

Make your images, videos, and infographics easy to pin by placing
them on the page rather than displayed as a background.
To add an exciting note to this aspect, popular public figures and top level politicians
are now harnessing the potential of this tool for their specific purposes.

Combined with the anonymous creating of Privatoria account via an Anonymous E-mail, specially crafted for me and not correlated with my own e-mail, name or other data, i believe it provides the highest level of security.

pashala

February 2, 2015

TOTOVPN is one such company that is committed to protecting online identities.
terms and commendation note: “TOTOVPS absolutely do not maintain any VPN activity logs. We utilize shared IP addresses rather than dynamic or static IPs,All Virtual Data is 128 bit encrypted(NO VPN data log / NO Packet Sniffing)”

I think everything published made a bunch of sense.
However, what about this? what if you added a little
content? I am not saying your content is not good, however suppose you added a post
title that grabbed a person’s attention? I mean Never Trust A VPN Provider That
Doesn

Meta

All original text on this site is under a Creative Commons Zero license ("public domain"). That includes any comments you submit. Syndicated articles that were first published elsewhere (clearly marked as such) are under the original license, typically a very permissive Creative Commons. Powered by Probewise.